Harden browser connector: HTTPS enforcement, CSS selector validation #14

@haasonsaas

Summary

The browser connector accepts origins and selectors with minimal validation. For a credential fill system, the validation bar should be higher.

Current state

  • internal/connectors/browser/connector.go — validates origin as parseable URL, checks selectors are non-empty
  • internal/bootstrap/service.go:113-114 — hardcoded default CSS selectors (#username, #password)
  • No HTTPS enforcement on origins
  • No CSS selector syntax validation
  • Credentials stored as plain text in the connector's in-memory config

Required work

  • Enforce HTTPS: reject origins without https:// scheme (with an explicit dev-mode override for http://localhost)
  • Validate CSS selectors: parse selectors to confirm they're syntactically valid CSS before accepting the configuration
  • Remove hardcoded default selectors: require explicit selector configuration per origin — silent defaults are a footgun
  • Selector allowlisting: consider restricting selectors to ID and specific attribute patterns to prevent overly broad selectors that could fill unintended fields
  • Document the browser extension contract: what messages the extension sends, what the broker responds with, and the security properties of the channel

Files

  • internal/connectors/browser/connector.go — validation logic
  • internal/bootstrap/service.go — remove default selectors, require explicit config

Priority

Medium.

🤖 Generated with Claude Code
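
One way the origin and selector checks listed under "Required work" could look, as an added sketch that is not code from this repository. The names `ValidateOrigin`, `ValidateSelectors` and `selectorRE` are hypothetical, and because Go's standard library has no CSS parser, the sketch uses a strict allowlist pattern in place of parsing, so only selector forms it recognizes are accepted.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Allowlisted selector shapes (an assumption for this sketch): a bare ID such
// as #username, or input[attr="value"] with attr limited to id, name, type or
// autocomplete. Anything else is rejected, including combinators and lists.
var selectorRE = regexp.MustCompile(
	`^(#[A-Za-z_][A-Za-z0-9_-]*|input\[(id|name|type|autocomplete)="[A-Za-z0-9_ -]+"\])$`)

// ValidateOrigin accepts only a bare https origin. With devMode set it also
// accepts http://localhost (any port), the override the issue asks for.
func ValidateOrigin(raw string, devMode bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("origin %q: %w", raw, err)
	}
	if u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" ||
		(u.Path != "" && u.Path != "/") {
		return fmt.Errorf("origin %q must be scheme://host[:port] only", raw)
	}
	switch {
	case u.Scheme == "https":
		return nil
	case devMode && u.Scheme == "http" && u.Hostname() == "localhost":
		return nil
	}
	return fmt.Errorf("origin %q: https required", raw)
}

// ValidateSelectors requires both selectors explicitly: no silent defaults.
func ValidateSelectors(username, password string) error {
	for field, sel := range map[string]string{"username": username, "password": password} {
		if sel == "" {
			return errors.New(field + " selector is required")
		}
		if !selectorRE.MatchString(sel) {
			return fmt.Errorf("%s selector %q is not an allowlisted form", field, sel)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateOrigin("http://example.com", false))
	fmt.Println(ValidateSelectors("#username", "input"))
}
```

Comparing `u.Hostname()` exactly against `localhost` keeps the dev-mode override from matching hosts such as `localhost.example.com`.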
